
In the murky world of stolen data, reputation is everything. If a threat actor can’t prove their haul is legitimate, their credibility—and their payday—evaporates. That’s exactly what seems to be happening with the alleged Oracle data breach. On 21 March 2025, CloudSEK’s XVigil discovered a threat actor, "rose87168," selling 6M records exfiltrated from the SSO and LDAP of Oracle Cloud. The data includes JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys. Oracle has been denying the breach, and in the hacker’s attempts since then to sell the stolen information on dark web forums, they’re running into unexpected resistance. Buyers aren’t biting. Worse, some are openly questioning whether the breach is real at all. What makes this even more interesting is the creation of a new account on the forum, which some are claiming is Oracle trying to cast the stolen data as illegitimate. Join me through my research into the current issues with the Oracle breach sale.
The threat actor rose87168 first surfaced on a well-known cybercrime forum, boasting possession of a treasure trove of Oracle’s internal data. As with most high-value leaks, they kept the details vague—just enough to spark interest without giving away anything for free. A few redacted samples, a price tag, and a promise that serious buyers could verify before purchase.
The data breach contains the following items:
You would think that the Oracle breach would be easy to sell, but instead of immediate offers, skepticism flooded the thread. Since Oracle has been denying claims of the breach, fellow forum members pressed for more proof, questioning the legitimacy of the dump. This isn’t uncommon—buyers don’t want to be scammed—but in this case, the pushback was unusually aggressive.
The discussions surrounding the Oracle data breach are something new to me. Usually, selling a data dump is straightforward and a short transaction. The current state is chaotic and full of skepticism among the peers. There are conversations about hatred for Oracle and its lack of acknowledgement of security weaknesses. One such conversation is about a threat actor disclosing a bug in Oracle's database software and Oracle retaliating by auditing them into oblivion. Needless to say, I feel that the cybercriminal underbelly is not a fan of Oracle for some unknown reason.
There is also another claim that the threat actor is actually an “insider”. This is just a claim, of course, but it does add an intriguing twist to this story. The conversation goes into an actor stating that there need to be at least 10,000 lines of a sample to validate the claim of the breach. Of course, others join in as well. In the same conversation, someone named tester27 claims CloudSEK planned the breach? The actor states CloudSEK planned the breach with his employee, and they work as rose aka… the threat actor. They go as far as saying that they have the whole conversation recorded and their partner is Alon Gal. Is there any foundation to this claim? At the moment it is just an accusation, but it does make me question if such a thing is true. I mean, we have all seen insider threats and crimes before with companies.
I thought that I had seen everything I was going to see and that this data breach was not going to sell. Then a new conversation with the threat actor emerged. It came from an account created on 3/25/2025, and it was arguing with the actor about the legitimacy of the data dump. Some were even stating that the new account doing the arguing actually belonged to Oracle or a third party trying to deter the sale of the data.
One of the most vocal critics was a newly created account that immediately cast doubt on the seller’s claims. The threat actor, already on edge, quickly accused the account of being linked to Oracle. If true, this wouldn’t be the first time a company (or a third-party threat intelligence firm) infiltrated a forum to disrupt a sale. By demanding proof, pointing out inconsistencies, and calling the actor a fraud, the account could be attempting to shake buyer confidence, making the stolen data essentially worthless. The hacker lashed out, insisting that the data was real—but the damage was already done.
First, let’s look at the account that is making the accusations. It is a newly created account with no rank and no reputation. These are the accounts that are most suspicious when it comes to transactions and actions. The last thing a new member normally does is challenge members with rank and reputation. Doing so makes things obvious and suspicious at best.
During the conversation, the new account challenges the legitimacy of the data dump, and the threat actor instantly claims the new account is Oracle or a third party. The conversation spreads like wildfire, and soon most of the members are siding with Oracle and the new account, claiming the data dump is fake.
This isn’t just a one-time issue. Selling corporate data is always a gamble. Unlike personal information, which can be quickly monetized, corporate leaks require trust. A buyer has to believe the data has value, that it’s exclusive, and that they aren’t walking into a trap. With Oracle’s name attached, the stakes are even higher. Companies of this size have entire teams dedicated to tracking and mitigating breaches. Any buyer caught dealing in stolen Oracle data could find themselves in legal crosshairs—or worse, buying worthless junk.
As of now, the sale remains in limbo. The threat actor, frustrated by the accusations, has doubled down, posting more “proof” in an attempt to salvage the deal. But the damage may already be irreversible. Buyers are hesitant, and if no one steps forward soon, the hacker might be forced to drop the price—or walk away empty-handed. For Oracle, this might be a rare win in the cat-and-mouse game of cybersecurity. If the company (or someone working on its behalf) did manage to poison the well, they’ve effectively neutralized the breach without needing to recover the data itself.
But for the hacker? In a market where trust is everything, they may have just learned the hard way that some stolen goods are simply too damaged to sell.